Keeping abreast of the threat


The German Bundespolizei have announced what the BBC are calling a “bullet-proof bra“.

It may sound like a joke, but this is a serious matter – the policewoman who came up with the idea said normal bras can be dangerous when worn in combination with a bullet-proof vest.
“The impact of a bullet can push the metal and plastic bits of the bra into an officer’s body, causing serious injury,” said Carmen Kibat, an adviser on equal opportunities for the Hamburg-based Bundespolizei – Germany’s federal police force.
“I always thought normal bras posed a safety risk and I wanted to change that,” she said.

Now, I’m sure Frau Kibat’s heart is in the right place, and I would certainly not want it to be pierced by either a bullet or a brassiere clasp or underwire fragment, but I have to suggest here that “I always thought” doesn’t suggest that the decision to develop this article was made based on empirical data.
While I admit it’s interesting to see “Polizei” on a brassiere, it’d have been better to ask those that are concerned about the “risk posed by normal bras” to simply buy one that is made entirely of cloth, since they are readily available through non-governmental channels.
Photo: Reuters, via Die Welt

Instant Ice Age

Science reports in, “The Year the World Froze Over:”

It sounds like the stuff of science fiction, but nearly 13 millennia ago Europe was plunged suddenly into a deep freeze that lasted 1300 years–and the change happened in little more than a year, according to new data. The evidence also suggests that strong winds, not ocean currents, drove the rapid climate change.

Well worth reading.

Black Hat (Live) Blog: Keynote

Ian Angell from the London School of Economics gave a great keynote on complexity in systems and how the desire to categorize, enumerate, and add technology can break things in interesting ways.

An example of his: there’s an increasing desire among politicians and law enforcement to create huge DNA databases for forensic purposes, to aid in crime fighting and whatever. This will work until criminals start collecting DNA samples and scatter them at a crime scene creating confusion.

Angell didn’t mention a counter-measure, and I have one that I’m sure the politicos will want to use: make the possession of DNA a crime. There’s the obvious exemption for your own DNA, but this brings new and important expansions of the old standby of “inappropriate contact.”

This brings me to a complaint and irony about the “improvements” to Black Hat this year. The ironies occurred to me as Angell was speaking, talking about the ways added complexity brings new ways to fail.

One of the Black Hat improvements is that Black Hat is adopting a number of cool web-isms. There’s a Twitter feed, for example. They’re encouraging blogging by handing out blogging credentials for Defcon. This good and cool.

However, one of the other improvements is to move The Wall of Sheep from Defcon to Blackhat. Professor Angell’s cat Oscar would have a thing or two to say about that. However, Nick Matthewson of Tor said it best, I think.

If you are not familiar with The Wall of Sheep, it is a project in which the shepherds run a protocol analyzer on the network looking people using insecure protocols, plaintext passwords, and the lot. They quasi-anonymize them and then offer them up for what in Puritan days would be a pillory.

Nick’s comment about this, was that it’s a very 1990s thing. Here we are in the late aughties, and you have assume that if someone is at a security conference and using a non-secure protocol, that it is a lot like not wearing pants. If you’re at a conference in Vegas and someone there is not wearing pants, it’s probably wise to assume that they know they’re not wearing pants, and that they are not wearing pants for some reason.

I was paying enough attention at the time to note that Nick was wearing a kilt when he said that.

The Wall of Sheep is the Pants Police. They run a Pants Panopticon in which they rush around madly looking for people with no pants and posting them up on the Wall of No Pants. They’ve decided on their own that a lack of pants is a ridiculable offense, even for people who know they’re not wearing pants, and don’t care what you can see. Even moreso, they also post the mere rumor of pantslessness. I have heard tell that some people enjoy hacking the Pants Police by telnetting to some service and typing in usernames and passwords to be sniffed. I would never do that myself, but I’ve heard stories. They’re actually more the Pants TSA than the Pants Police, but Pants TSA doesn’t alliterate.

The Angell-quality irony here is that all these new communications systems that on the one hand we’re being encouraged to use are — questionable. Twitter looks a lot like knickers to me. And let’s face it, WordPress won a Pwnie award for the incredible number of vulns they’ve coded.

In short, you’d be a fool to use Twitter at Black Hat, or to blog, or — well, use DNS. For Pete’s sake, we’re being told to set up manual arp entries. (Yes, I know. You can use a VPN, or you mobile, or something else. That’s all very good, but once the Pants Police decide your Bermudas look like Speedos to them….)

The message of Black Hat that people should take away is that nothing is safe. That’s not necessarily bad. If we wanted houses to be safe as houses, we’d take out the windows and turn off the electricity. Technology is risk, as Angell said eloquently and entertainingly.

This is just more of the security wags naming, shaming, and blaming the victims. Is the message that one should take away from Black Hat is not to use a computer there? Even Professor Angell isn’t that pessimistic. He thinks that four ounces in an eight-ounce tumbler means you have too much glass.

Which is it at Black Hat? Web or no web? Pick one. Either Black Hat is (like Defcon) an open free-for-all in which griefing is just another way to spell 1337 and you’re a fool to bring electronics, or it’s an information exchange between smart people who blog, Tweet, and Plurk. Is a handshake a greeting, or a way to get a DNA sample? Are we using cutting edge or trailing edge technologies? If the former, remember that their security is going to suck until they get beat up — cutting edge techs can make you bleed. To phrase it another way, pick a century we’re in — 20 or 21. It matters less which one you pick than that you pick.

I hope it’s 21. I think Twitter is twee, but I’ve been using it and I smile when I do. (Plurk is much cooler, but I can hear The Good, The Bad, and The Ugly theme every time I go there.) I truly believe that blogging is just journalism in the cheapest free press civilization has ever had. AJAX is scary, but it’s scary in the way that driving a go-cart is scary. I don’t want to have to worry about the Pants Police, too, to make fun of me if I’ve misconfigured something I’m not as adept at as IRC. I’d like to deliver a live blog about the opening keynote on the day it was given, as opposed to while I’m still alive.

I think Black Hat is moving in a very good direction to make information flow better, more interesting, and more fun. Let’s just leave the old school hectoring back in era, and find out how to fix the new things by using them.

Does this mean we can revise our opinion of Friday the 13th?

Knights Templar Being Burned

According to The Daily Telegraph, the Knights Templar are suing the Vatican for all that money they lost in 1307. (The Telegraph has a companion article here as well.)

This adds up to a nice round €100 billion. The Telegraph didn’t say whether that is American billions (thousand million, 109) or English billions (million million, 1012), and given that the Templars were The World Bank of the turn of the previous millennium and there’s 700 years of interest involved, it’s not obvious how many zeroes need to go at the end.

Last October, the Vatican released copies of the parchments documenting the Templar Trials after having them been “misfiled” for over three hundred years. (My house has nearly as many books as the Vatican, squished into a much smaller space, so I completely understand how that could happen.)

These parchments reveal that in fact the Templars were found to be not guilty of heresy at the time, but Pope Clement V let them be disbanded and burned at the stake anyway because King Philip IV of France was being really cranky about it. (If you follow US foreign policy, you should completely understand how that could happen, as well.)

The major dodgy thing about the suit is that the Spanish group claims that their suit is not to reclaim damages but only to restore the good name of the Templars. Yeah, uh huh, sure. Then why aren’t you suing for a single Euro?

Perhaps the Freemasons will weigh in on this. Among the many Fun Templar Facts, there’s a surprisingly good theory that they’re founded by escaped Templars. Other Fun Templar Facts include that Friday the 13th is considered unlucky because that’s when they were all rounded up; that the burned Templar Grand Master, Jacques de Molay, was the 23rd Grand Master; and that Jacques de Molay was the inventor of Molé sauce.

Photo is of Jacques de Molay being sent to burn at the stake, via the GETTY and the Daily Telegraph web site.

Cleared Traveler Data Lost

Finger on print reader

Verified Identity Pass, Inc., who run the Clear service have lost a laptop containing information of 33,000 customers. According to KPIX in “Laptop Discovery May End SFO Security Scare” the “alleged theft of the unencrypted laptop” lost information including

names, addresses, birth dates and some applicants’ driver’s license numbers and passport information, but does not include applicants’ credit card information or Social Security numbers, according to the company.

We are also told:

The information is secured by two levels of password protection, the company reported.

Two levels of passwords. Wow. I guess you don’t need to encrypt if you have two levels of passwords.

The TSA suspended enrollment of new customers, but existing customers can still use the service. So if you stole the data and can use it, you’re Clear.

Update: They found the device. Chron article here. “It was not in an obvious location,” said a spokesperson.

Privacy Enhancing Technologies and Threat Modeling

Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how you believe attackers will behave. This is somewhat unusual in two ways: first, it implies the need for a dynamic analysis, and second, that analysis will only function if we have data.

We often apply a very static analysis to attackers: they have these capabilities and motivations, and they will stick with their actions. This paper shows a real world example of a place where as attackers get more resources, they will behave differently, rather than doing more of what they did before. So actually operating a secure Tor system requires an understanding of how certain attackers are behaving, and how they choose to attack the system at any given time.

There’s a sense in which this is not surprising, but these dynamic models rarely show up in analysis.

Bonus snark to the Colorado team: why don’t you buy a botnet and see what you can break? (The Colorado team is the people Chris blogged about in “Ethics, Information Security Research, and Institutional Review Boards.”)

Solove’s Understanding Privacy

Dan Solove sent me a review copy of his new book, “Understanding Privacy.” If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove’s approach. That’s not to say it’s perfect or complete, but I think it’s an important intellectual step forward, and perhaps a practical one as well.

I’m going to walk through the chapters, and then bring up some of my responses and the reasons I’m being guarded.

Chapter 1 is “Privacy: A Concept in Disarray.” It lays out how broad and complex a topic privacy is, and some of the struggles that people have in defining and approaching it as a legal or social science concept. Chapter 2, “Theories of Privacy and Their Shortcomings” lays out, as the title implies, prior theories of privacy. Having thus set the stage, chapter 3 “Reconstructing Privacy“is where the book transitions from a review of what’s come before to new analysis. Solove uses Wittgenstein’s concept of ‘family resemblances’ as a way of approaching the ways people use the word. Privacy (as I’ve commented) has many meanings. You can’t simplify it into, say, identity theft. Solove uses family resemblances to say that they’re all related, even if they have very different personalities. Chapter 4, “The Value of Privacy” points out that one of the reasons we’re losing privacy is that it’s often portrayed as an individual right, based on hiding something. In policy fights, society tends to trump individualism. (Which is one reason the Bill of Rights in the US protects the individual.) Rather than calling for better protection of the individual, this chapter explores the many social values which privacy supports, bringing it closer to equal footing, and providing a policy basis for the defense and enhancement of privacy because it makes us all better off.

Chapter 5, “A Taxonomy of Privacy” is the core of the book. The taxonomy is rich. Solove devotes seventy pages to expounding on the harms done in not respecting privacy, and discussing a balance between societal interests of privacy and the reason for the invasion. In brief, the taxonomy is currently:

  1. Information collection: Surveillance, Interrogation
  2. Information Processing: Aggregation, Identification, Insecurity, Secondary Use, Exclusion
  3. Information Dissemination: Breach of confidentiality, Disclosure, Exposure, Increased Accessibility, Blackmail, Appropriation, Distortion
  4. Invasion: Intrusion, Decisional Interference.

I’ve tried to apply this taxonomy to issues. For example, when I wrote “Call Centers Will Get More Annoying,” I used the taxonomy, although not the words. There’s surveillance, secondary use, increased accessibility and (what feels like a form of) intrusion. What the taxonomy doesn’t do is capture or predict my outrage. I think that that’s an important weakness, but it may well be asking too much. Solove’s goals of a societal balance don’t admit my outrage as a key factor. They can’t. Outrage is too individual.

I’m also concerned that perhaps this isn’t a taxonomy. If you read the old posts in my taxonomies category, you’ll see that I spent a bunch of time digging fairly deeply into what taxonomies are, how they come about, how they’re used and abused. I don’t think that Solove’s taxonomy really fits into the core of a taxonomy: a deterministic way to classify things which we find, which various practitioners can reliably use. As in my example of the call centers, the flaws are legion, and some of my classification may be wrong.

At Microsoft, we use STRIDE as a “taxonomy” of security issues (STRIDE is Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) I think, as a taxonomy, STRIDE is lousy. If you know about an issue, it’s hard to classify using STRIDE. The categories overlap. On the other hand, it’s very useful as an evocation of issues that you might worry about, and the same may be said of Solove’s taxonomy. I also don’t have a superior replacement on hand, and so I use it and teach it. Taxonomy-ness is not next to godliness.

My other issue with Solove’s taxonomy is that it doesn’t recognize the issuance of identifiers, in and of itself, as a privacy issue. I believe that, even before the abuses start, there are forseeable issues that arise from issuing identification numbers to people, like the Social Security Number. The act of enumeration was clearly seen by as an invasion by Englishmen who named the Doomsday book. The ability of the US government to even take a census is tied directly to the specified purpose of allocating legislative seats. I see it as self-evident, and haven’t been able to find the arguments to convince Solove. (Solove and I have discussed this in email now and then; I haven’t convinced him [that identifiers are, per se, a privacy harm])

Chapter 6 Privacy: A New Understanding closes the book with a summation and a brief discussion of the future.

The book has a strong policy focus. I am very interested in understanding how this new understanding intersects both broad laws and legal principles (such as the Fair Information Practices) and specific law (for example, HIPAA). The FIP, the OECD privacy statements, and Canada’s PIPED act all show up in the discussion of secondary use. I’m also interested in knowing if an organization could practically adopt it as a basis for building products and services with good privacy. I think there’s very interesting follow-on work in both of these areas for someone to pick up.

I also worry that privacy as individual right is important. Even though Solove makes a convincing case that that’s a weaker policy basis than the one he lays out, that doesn’t mean it’s not to be cherished as a social value, and I feel that the view of privacy which Solove presents is weaker to the extent that it fails to embrace this.

In closing, there are three major elements to the book: the first is to take us past the definitional games of “what is privacy.” The second is a serious attempt to address the “what do you have to hide” approach to privacy. The third is the taxonomy. Two of these would have been a pretty good book. Three are impressive, even as I disagree with parts of it. Again, this is an important book and worth reading if you work in or around privacy.

[Edited to own up to having written “divisional interference”, rather than “decisional interference.”]

SOUPS 2008, summarized

I really appreciate the way that Richard Conlan has in-depth blogged all of the sessions from the 2008 Symposium on Usable Privacy and Security. The descriptions of the talks are really helpful in deciding which papers I want to dig into. More conferences should do this.

There’s only one request I’d make: There’s no single “pointer post” which lists all the blog posts in a way I can easily link to. It would be great to have such a post on the Usable Security blog.